POSTGRADUATE
SCHOOL
MONTEREY, CALIFORNIA
THESIS
by
Isaac A. Barnes
December 2018
i
THIS PAGE INTENTIONALLY LEFT BLANK
ii
Approved for public release. Distribution is unlimited.
Isaac A. Barnes
Assistant to the Special Agent in Charge, U.S. Secret Service
Department of Homeland Security
BS, U.S. Military Academy, 1994
from the
Lynda A. Peters
Second Reader
Erik J. Dahl
Associate Chair for Instruction
Department of National Security Affairs
iii
THIS PAGE INTENTIONALLY LEFT BLANK
iv
ABSTRACT
v
THIS PAGE INTENTIONALLY LEFT BLANK
vi
TABLE OF CONTENTS
I. INTRODUCTION..................................................................................................1
A. PROBLEM STATEMENT .......................................................................1
B. RESEARCH QUESTION .........................................................................3
C. RESEARCH DESIGN ...............................................................................3
D. CHAPTER OVERVIEW ..........................................................................5
viii
LIST OF FIGURES
ix
THIS PAGE INTENTIONALLY LEFT BLANK
x
LIST OF TABLES
xi
THIS PAGE INTENTIONALLY LEFT BLANK
xii
LIST OF ACRONYMS AND ABBREVIATIONS
xiii
THIS PAGE INTENTIONALLY LEFT BLANK
xiv
EXECUTIVE SUMMARY
To address the legal objections, Representatives Tom Graves (R-GA) and Kyrsten
Sinema (D-AZ) proposed the Active Cyber Defense Certainty (ACDC) Act on October 13,
2017, which creates an affirmative defense for private entities that use active measures
external to their networks to determine the location of persistent attacks on their networks
and to address the limitations of passive cyber defense measures. 3 This proposed legislation
has reshaped the conversation to include the application of deterrence theory in cyberspace
across the geopolitical boundaries between nation states, organizations, individuals, and
cyber threat actors, yet it does not address the global nature of cyberspace and the ease in
which entities can cross geopolitical borders.
1
Dennis C. Blair et al., eds., Into the Gray Zone: The Private Sector and Active Defense against Cyber
Threats (Washington, DC: George Washington University, Center for Cyber and Homeland Security,
2016); and Paul Rosenweig, Steven P. Bucci, and David Inserra, “Next Steps for US Cybersecurity in the
Trump Administration: Active Cyber Defense,” Backgrounder, no. 3188 (May 5, 2017): 11.
2
Blair et al., Into the Gray Zone, 9; and Dorothy E. Denning, “Framework and Principles for Active
Cyber Defense” (Monterey, CA: Naval Postgraduate School, December 2013), 3.
3
Active Cyber Defense Certainty Act, H.R. 4036, 115th Cong., 1st sess. (2017), https://www.congress.
gov/bill/115th-congress/house-bill/4036.
xv
Representative Edward Royce (R-CA) introduced the Cyber Diplomacy Act of
2017, a law that would create an office within the Department of State to negotiate cyber
matters on behalf of the United States abroad and “to promote an open, interoperable,
reliable, and secure internet that fosters efficiency, innovation, communication, and
economic prosperity, while respecting privacy and guarding against deception, fraud, and
theft.” 4 The Cyber Diplomacy Act of 2017 creates a mechanism to address the concerns
surrounding the use of active cyber defense measures by American companies in
cyberspace. Combining these two pieces of legislation promotes U.S. interests in
cyberspace globally while allowing private entities to engage in active cyber defense
measures external to their networks with the goal of deterring cyber-attacks; however, it
still leaves a gaping hole in U.S. cybersecurity. There is no single entity charged with
creating a coherent cybersecurity policy. In fact, numerous executive branch agencies in
the intelligence community (IC), law enforcement, the military, and the Department of
Homeland Security are charged with various aspects of cybersecurity policy creation and
implementation.
The U.S. government, due to the 9/11 Commission’s findings, created a director of
national intelligence in 2005 to address IC shortfalls in the aggregation of intelligence to
prevent terrorist attacks. Likewise, the threat to national security created by the number of
diverse and disparate executive branch entities with roles in the creation and
implementation of America’s cybersecurity policy necessitates the creation of a national
director of cybersecurity. This director needs regulatory authority over private-sector
critical infrastructure and key resources (CIKR) to ensure that best practices are followed
and that the U.S. government issues a standard for the CIKR sectors to follow in
cybersecurity matters. Furthermore, the national director of cybersecurity can serve as the
coordination point for the private sector’s implementation of active cyber defense measures
as required by the ACDC Act. Combining the ACDC Act and the Cyber Diplomacy Act
of 2017, in conjunction with the creation of an empowered national director of
cybersecurity, creates a holistic policy for the United States, but an international body is
4
Cyber Diplomacy Act of 2017, H.R. 3776, 115th Cong., 1st sess. (2017), https://www.congress.gov/
bill/115th-congress/house-bill/3776/text.
xvi
still needed to manage and mitigate the disputes that will inevitably arise between nations
with the use of active cyber defense measures.
The Council of Europe and the United States recognized a need for an international
accord to homogenize global laws on cyber matters in the late 1990s. The resultant 2001
treaty, the Budapest Convention on Cybercrime, states in summary that nations should
homogenize their laws in cyberspace to increase cooperation in enforcement matters as
criminals can conduct cyber-attacks globally. 5 The North Atlantic Treaty Organization
(NATO) created the Cooperative Cyber Defence Centre of Excellence (CCDCOE) in
Tallinn, Estonia, in 2008 “to enhance the capability, cooperation and information sharing
among NATO, NATO nations and partners in cyber defence by virtue of education,
research and development, lessons learned and consultation.” 6 The CCDCOE played a key
role in authoring the Tallinn Manual 2.0 on the International Law Applicable to Cyber
Operations, which outlines the myriad of international laws in cyberspace. 7 Given this
expertise, the CCDCOE should use the Budapest Convention on Cybercrime as a
framework for disputes arising from the implementation of the ACDC Act. The
CCDCOE’s 29 centres provide the infrastructure necessary to mitigate disputes in a variety
of locales. 8 The United States should petition NATO to change the charter of the CCDCOE,
so it can be the international agency to mitigate cyber disputes between nations.
The legislative branch, the executive branch, NATO, and the private sector all have
a role to play in the implementation of active cyber defense measures. As there is at least
ambiguity surrounding the employment of active cyber defense measures, the U.S.
Congress needs to make at least some facets of active cyber defense legal. The executive
branch needs to develop a policy surrounding the legalization of active cyber defense.
NATO should explore a role in the mitigation of disputes arising between nations from the
5
Convention on Cybercrime, November 23, 2001, E.T.S. 185.
6
“Home Page,” NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), accessed May
28, 2018, https://www.ccdcoe.org.
7
Michael N. Schmitt, ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber
Operations (Cambridge: Cambridge University Press, 2017).
8
CCDCOE, “Home Page.”
xvii
employment of active cyber defense measures. The private sector needs to develop the
implementation techniques.
9
Crown jewels are the key pieces of data and information a company has that make its business viable.
The loss of this information generally means a company no longer exists. Among cybersecurity
professionals, it is a common term and concept in describing what information a company must protect so
that the proper tools can be put into place. Misidentification generally means the company is spending
money to protect something that, if lost, is not critical to its business model. For an investment company,
this would include both its client account information and trading strategy, which makes it different from
other investment companies.
xviii
ACKNOWLEDGMENTS
I would like to thank my wife for her forbearance and perseverance as I worked on
this master’s program through the Naval Postgraduate School’s Center for Homeland
Defense and Security. In what is already a hectic full-time work schedule, the addition of
academe to the mix has caused her to pick up even more responsibilities raising our
children and running the household. Without her patience and incredible strength, I would
not have been able to complete this program. She is truly the yin to my yang, and I look
forward to many more years together.
Likewise, I would like to thank my children for their support through this journey.
Their interest in academics inspires me. I pray that they can use my periods of
inattentiveness—from being absorbed in the development of this thesis—as motivation
toward their own academic endeavors.
Professor Shannon Brown helped me shape, scope, and craft this study. Without
his big-picture guidance, I would still be floundering. I hope our academic journey together
has enriched him as much as it has me.
xix
you. He provided the operational and logistical support for the cohort, enabling us to focus
on academics. His work enabled us to concentrate entirely on learning.
To the Cohortians of 1703/1704, thank you. I enjoyed getting to know each and
every one of you. I loved our spirited debates both inside and outside the classroom. I
probably learned as much from each of you as I did from the classroom. I look forward to
our continued friendships.
Finally, I would like to thank the Department of Homeland Security, FEMA, and
the U.S. Secret Service for the opportunity to pursue this endeavor. DHS and FEMA’s
funding made it all possible. The U.S. Secret Service allowed me to travel two weeks per
quarter for the in-residence portion, often during times of high operational tempo, and I
sincerely appreciate it. I hope the agency can take pride in the results.
xx
I. INTRODUCTION
A. PROBLEM STATEMENT
“Cyber ‘Worm’ Hurts Corporate Earnings, Sparks $850 Million in Damage,” Newsmax, August 2,
1
2017, http://www.newsmax.com/Finance/StreetTalk/cyber-worm-notpetya-earnings/2017/08/02/id/
805374/.
2
Verizon, 2017 Data Breach Investigations Report, 10th ed. (New York: Verizon Enterprise
Solutions, 2017), 11.
3
Symantec, Internet Security Threat Report (Mountain View, CA: Symantec, 2017), 22:9.
4
Chris Pogue, The Black Report, ed. Josh Mehlman (Herndon, VA: Nuix, 2017), 15.
5
Luke Graham, “Cybercrime Costs the Global Economy $450 Billion: CEO,” CNBC, February 2,
2017, https://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html.
6
Symantec, Internet Security Threat Report, 22:9.
1
passive measures to penetrate corporate networks. 7 The cybersecurity professional must
defeat every attack while the cyber threat actor need only one success to penetrate the
network. Further exacerbating the ease with which threat actors gain access to networks,
these actors often use insiders’ credentials to penetrate networks. Eighty-four percent of
hackers use social engineering of some kind to obtain user credentials to penetrate
networks. 8 This is an indictment of cybersecurity professionals relying on single-factor
authentication—passwords—as opposed to multi-factor authentication—both something
the user knows and a physical token the user has in one’s possession. Regardless, the
number of publicized breaches in a one-year period demonstrates the ease with which cyber
threat actors penetrate networks.
With passive cyber defense measures in place, cyber threat actors averaged more
than five breaches per day in 2016. 9 To deter cyber-attacks, can other, more active
measures be employed by cybersecurity professionals to identify the source of the attack
more easily? Representatives Tom Graves (R-GA) and Kyrsten Sinema (D-AZ) proposed
the Active Cyber Defense Certainty (ACDC) Act on October 13, 2017, creating a
permissive legal framework for affirmative defense for private entities that use active
measures external to their networks to determine the location of persistent attacks on their
networks, and to address the limitations of passive cyber defense measures. 10 Proponents
and opponents of Graves and Sinema’s legislative proposal almost immediately began
publishing articles, blogs, and podcasts either supporting or excoriating the ACDC Act;
however, both sides question whether such an act could be created in a vacuum by one
7
Verizon, Data Breach Investigations Report, 6.
8
Pogue, The Black Report, 15.
9
Verizon, Data Breach Investigations Report, 11. This is figure was derived from the 1,935 attacks in
2016 (1,935 attacks/365 days = 5.3 attacks per day).
10
Active Cyber Defense Certainty Act, H.R. 4036, 115th Cong., 1st sess. (2017), https://www.
congress.gov/bill/115th-congress/house-bill/4036.
2
nation given the ease of transiting geopolitical boundaries in cyberspace because of the
myriad of international laws. 11
The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations
outlines the myriad of international laws in cyberspace. Given the ease with which
operations in cyberspace, both nefarious and legitimate, cross geopolitical boundaries, is it
plausible for America to pass the ACDC Act, which—if an entity engages in those legally
authorized behaviors—may be illegal in another nation without an international accord?
Thus far, the literature does not explore this aspect of active cyber defense.
B. RESEARCH QUESTION
Can the United States implement an active cyber defense policy without an
international body to mitigate disputes?
C. RESEARCH DESIGN
This thesis is a policy proposal document that explores the possible implementation
of active cyber defense measures by private entities as proposed by the pending ACDC
11
Chris Cook, “Hacking Back in Black: Legal and Policy Concerns with the Updated Active Cyber
Defense Certainty Act,” Just Security (blog), November 20, 2017, https://www.justsecurity.org/47141/
hacking-black-legal-policy-concerns-updated-active-cyber-defense-certainty-act/.
12
Cyber Diplomacy Act of 2017, H.R. 3776, 115th Cong., 1st sess. (2017), https://www.congress.gov/
bill/115th-congress/house-bill/3776/text.
3
Act. Specifically, it examines whether those measures can be authorized by one nation
without an international accord or body to address the inevitable disputes that will arise
because cyberspace does not respect geopolitical boundaries. Consequently, an entity could
run afoul of the laws of one nation while being entirely within the bounds of the laws of
another. This thesis concludes with policy recommendations on the feasibility of
implementing both the ACDC Act and the Cyber Diplomacy Act and shaping an
international accord or body to mitigate disputes.
The research was limited to the deployment of active cyber defense measures in
cyberspace by private entities, whose stated purpose is identifying cyber threat actors that
penetrate those networks. Building on this research, the thesis explores a potential
framework for addressing active cyber defense in the international arena. It discusses the
concept of deterrence theory in cyberspace and its application among nation-state,
corporate, individual, and cyber threat actors.
To do so, this study considered alternative courses of action, including the concept
of deterrence theory in cyberspace, and the plausibility of private entities implementing
active cyber defense measures. This process involved comparing often-contradictory
sources of literature and employing options analysis to evaluate the courses of action. The
options analysis considered the following three courses of action: the status quo (no
passage of the ACDC Act), the passage of the ACDC Act without an international accord
or body to discuss cybersecurity matters, or the passage of the ACDC Act with an
international accord or body. The criteria were as follows: legality in the United States,
international legality, and deterrence theory application in cyberspace.
The thesis presents a policy options matrix measuring each criterion as either “yes”
or “no” as described in Paul Pitman’s lecture notes on policy options analysis. 13 As active
cyber defense measures are possibly illegal, as demonstrated in the literature review, a
fictional scenario depicting the use of active cyber defense measures by a private U.S.
entity is used to facilitate the options analysis. The scenario portion of the analysis assumes
13
Paul M. Pitman, “Research Methods, Part II: Policy Options Analysis” (lecture module, Center for
Homeland Defense and Security, 2017), https://www.chds.us/coursefiles/NS4081/lectures/methods_policy_
options_analysis_v02/methods_policy_options_lec_v02.pdf.
4
that one nation has authorized active cyber defense measures while others have not and
predicts the resulting tensions caused by differing laws. It does not seek to explore the laws
of the world regarding cyberspace as other works have done, nor does it seek to recommend
which, if any, active cyber defense measures private entities should employ.
D. CHAPTER OVERVIEW
To facilitate the analysis, this thesis explores the literature on active cyber defense,
examines three different courses of action, and performs an options analysis, which
concludes with a series of policy recommendations for the legislative branch, the executive
branch, NATO, and the private sector. The literature review in Chapter II defines active
cyber defense, reviews the cyber threat landscape, and details the differences between
active and passive cyber defense measures. The chapter also delves into cybersecurity
expert opinions, explores the legal feasibility of active cyber defense measure employment
in the domestic and international legal environments, and considers the passage of the
ACDC Act in the United States. It ends with a discussion on the Law of Armed Conflict
and deterrence theory as they relate to cyberspace. Chapter III considers the possible
courses of action, and Chapter IV evaluates them using the aforementioned options analysis
criteria. Chapter V concludes with a series of recommendations for policymakers and the
private sector alike.
5
THIS PAGE INTENTIONALLY LEFT BLANK
6
II. LITERATURE REVIEW
A review of the literature on active cyber defense yields four broad categories: the
cyber threat landscape, the pursuit of active cyber defense measures, U.S. and international
laws on cyber defense, and opinions on the legality of active cyber defense measures. In
2017, Representatives Graves and Sinema proposed to legalize active cyber defense
measures undertaken by private entities in the United States via the ACDC Act, which has
reshaped the conversation to include the application of deterrence theory in cyberspace
across geopolitical boundaries between nation-states, organizations, individuals, and cyber
threat actors.
The literature review first discusses the debate over the definition of active cyber
defense to help the reader appreciate the nuanced or contradictory positions on active cyber
defense measures. It continues with a portrayal of the cyber threat landscape from both the
news media and cybersecurity companies like Nuix, TrendMicro, Trustwave, Symantec,
and Verizon Enterprise Solutions. Each of these entities publishes articles and papers
detailing cyber-attacks and outlining the threat actors and their motives. This second
category shapes the public discussion around the cyber threat, cyber threat actors, their
motives, and the most common types of attacks.
In the third section, public and private consortia examine cyber defense measures,
both passive and active, and either call for additional (i.e., more active) cyber defense
measures while making policy recommendations or submit that current passive cyber
defense measures are adequate to combat the cyber threat actors if implemented correctly
and completely. The fourth section details existing and proposed legislation in the United
States that codifies permissible actions both internal and external to an entity’s network.
The proposed ACDC Act applies recommendations, made in works such as Into the Gray
Zone by the Center for Cyber and Homeland Security, to change the laws of the United
States, so private entities may engage in active cyber defense measures outside their
networks. The act creates an affirmative defense to the Computer Fraud and Abuse Act
(18 U.S.C. § 1030) when those entities attempt to identify “persistent” attackers of their
7
networks. 14 A different U.S. legislative proposal by Representative Royce seeks to create
an office within the Department of State to negotiate cyber matters on behalf of the United
States. 15
The fifth section discusses global legal frameworks and weighs in on whether active
cyber defense measures exceed statutory authority internationally or are permissible given
current laws and court decisions. This includes organizations like NATO’s Cooperative
Cyber Defence Centre of Excellence (CCDCOE) and its examination of “154 ‘black letter’
rules governing cyber operations.” 16 The final section discusses the relevance of deterrence
theory in examining the proposed ACDC Act. Simply put, while some posit mutually
assured destruction worked well in the nuclear age but does not translate to the cyber age,
others claim that cyber threat actors will limit their cyber-attacks if reasonable certainty of
attribution exists. 17
14
Active Cyber Defense Certainty Act.
15
Cyber Diplomacy Act of 2017.
Michael N. Schmitt, ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber
16
Attacks,” Small Wars Journal 12, no. 1 (January 28, 2016), http://smallwarsjournal.com/jrnl/art/law-of-
armed-conflict-attribution-and-the-challenges-of-deterring-cyber-attacks; and Jim Chen, “Cyber Deterrence
by Engagement and Surprise,” PRISM 7, no. 2 (December 21, 2017): 101–7.
18
Dennis C. Blair et al., eds., Into the Gray Zone: The Private Sector and Active Defense against
Cyber Threats (Washington, DC: George Washington University, Center for Cyber and Homeland
Security, 2016), 9; and Dorothy E. Denning, “Framework and Principles for Active Cyber Defense”
(Monterey, CA: Naval Postgraduate School, December 2013), 3.
8
on aforementioned definitions and includes all measures just short of preemptive offense. 19
In the opponent category, a news article describes Representatives Graves and Sinema’s
proposed ACDC Act is entitled “U.S. Congress Mulls First ‘Hack Back’ Revenge Law.
And Yup, You Can Guess What It’ll Let People Do.” 20 This stark contrast continues
throughout the literature.
News articles keep cyber-attacks in the forefront of the public’s mind on a nearly
daily basis. An internet news search on a single day in 2017 yielded eight articles. The
internet news site Deadline broke the story of HBO’s breach in which a hacker stole
unpublished videos and scripts and attempted to extort payment from HBO so as not to
release them. 21 The Financial Times wrote of Merck downwardly modifying its annual
performance guidance due to the breach of its networks in June 2017, which temporarily
halted production of some products. 22 An article in The Scotsman described how businesses
fail to take measures to defend networks against cyber-attacks despite their increasing
number annually. 23 A similar article on IT Pro Portal describes a study that found small
and medium-sized enterprises “are not yet heeding the warnings provided by large attacks
on global businesses [despite] more than 875,000 small and medium-sized businesses . . .
being hit by at least one cyber-attack . . . in the past twelve months.” 24 The Sun in London
19
Siobhan MacDermott, The Folded Paper: Inventing Cyberdiplomacy (North Charleston, SC:
CreateSpace Independent Publishing Platform, 2018), 89.
20
Iain Thomson, “US Congress Mulls First ‘Hack Back’ Revenge Law. And Yup, You Can Guess
What It’ll Let People Do,” Register, October 13, 2017, https://www.theregister.co.uk/2017/10/13/us_
hack_back_law/.
21
Denise Petski, “HBO Confirms It Was Hit by Cyber Attack,” Deadline, July 31, 2017,
http://deadline.com/2017/07/hbo-confirms-cyber-attack-hack-1202139202/?utm_source=dlvr.it&utm_
medium=twitter.
Pan Kwan Yuk and Mamta Badkar, “Merck Updates Guidance to Reflect June Cyber Attack,”
22
9
summarized five large-scale attacks. 25 The Christian Science Monitor published an essay
detailing a couple’s recovery from a cyber-attack and their regimen of prayer to God, in
addition to other cyber hygiene measures, as an additional layer of defense. 26 Dubai Media
extolled the virtues of the United Arab Emirates’ Computer Emergency Response Team
and the “289 cyber-attacks [it prevented] during the first quarter of 2017.” 27 RCR Wireless
News offered mitigation techniques for network function virtualization and software-
defined networking vulnerabilities. 28
Beyond these news stories, which help form public sentiment and opinion by
reporting the scope of the cyber threat issue, several companies publish (at least) annual
reports that discuss the cyber threat entities facing all critical infrastructure and key
resource (CIKR) sectors. 29 Chief Information Security Officer Chris Pogue of Nuix, a
global cybersecurity firm, has authored a report on hackers and their methodologies to help
organizations understand the psychology of the cyber threat actors behind cyber-attacks. 30
TrendMicro publishes research papers on a variety of vulnerabilities to the cyber
infrastructure and the mitigation techniques that cyber defenders should employ to
successfully defend against specific threats. One such report discusses “sinkholing,” which
25
Dan Elsom, “Five of the Worst Cases of Cybercrime the World Has Ever Seen – from Stealing Data
from One Billion Yahoo Users to Crippling the NHS,” The Sun (London), July 31, 2017, https://www.
thesun.co.uk/tech/4120942/five-of-the-worst-cases-of-cyber-crime-the-world-has-ever-seen-from-data-
theft-of-one-billion-yahoo-users-to-crippling-the-nhs/.
26
Kevin Graunke, “Shielded from Cyberattacks,” Christian Science Monitor, July 31, 2017,
https://www.csmonitor.com/Commentary/A-Christian-Science-Perspective/2017/0731/Shielded-from-
cyberattacks.
27
“Telecommunications Regulatory Authority Prevents 289 Cyber-Attacks in Q1 2017,” Dubai Media,
July 31, 2017, http://www.emirates247.com/news/emirates/telecommunications-regulatory-authority-
prevents-289-cyber-attacks-in-q1-2017-2017-07-31-1.656939.
28
Nathan Cranford, “How to Protect NFV and SDN from Cyber Attacks,” RCR Wireless News, July
31, 2017, http://www.rcrwireless.com/20170731/nfv/how-to-protect-nfv-and-sdn-from-cyber-attacks-
tag27-tag99.
29
Department of Homeland Security, National Infrastructure Protection Plan (NIPP) 2013:
Partnering for Critical Infrastructure Security and Resilience (Washington, DC: DHS, 2013), 9. The U.S.
government defines the CIKR sectors.
30
Pogue, The Black Report.
10
redirects malicious internet traffic to an internet address that hosts no content. 31 Another
report outlines 11 different attacks between May 2016 and August 2017. That report details
instances of attackers using misconfigurations in security settings to penetrate systems,
causing disruption and harm to the intelligent transportation system and the mitigation
techniques its operators should employ. 32 Trustwave’s 2017 annual security report details
cyber-attacks of the previous year, arguing that cyber-security professionals need to shift
from passive measures to active ones. 33 Symantec’s 2017 Internet Security Threat Report
outlines the 2016 attack vectors and threat actors—including espionage, email attacks, and
the underground economy enabled by cybercrime—and offers recommendations for
mitigating the cyber threat. Symantec’s report briefly discusses new attack vectors the
internet of things introduces to the cyber realm. 34 Verizon’s 2017 Data Breach
Investigations Report details the threat to each of the CIKR sectors, the attack vectors that
threat actors pursue, and mitigation techniques that entities need to employ to combat those
cyber threats. 35 Each of the aforementioned documents by cybersecurity companies helps
shape the public understanding of various cyber threat actors, the methods they use, and
the CIKR sector or sectors they will most likely attack.
31
David Sancho and Ranier Link, “Sinkholing Botnets” (technical paper, TrendMicro, 2011); and
Margaret Rouse and Matthew Haughn, “What Is Botnet Sinkhole?” Tech Target, June 2014, http://whatis.
techtarget.com/definition/botnet-sinkhole.
32
Numaan Huq, Rainer Vosseler, and Morton Swimmer, “Cyberattacks against Intelligent
Transportation Systems: Assessing Future Threats to ITS” (research paper, TrendMicro, 2017), 4. Many
global locales are implementing aspects of ITS to improve traffic flow and the efficiency of public
transportation (e.g., by adjusting schedules to accommodate usage) and to decrease the response time of
emergency vehicles to calls for service. Disruptions to these networks may cause gridlock. Even worse,
they may lead to false calls for emergency response. Securing these networks as they continue to come
online is a public safety concern.
33
Trustwave, 2017 Trustwave Global Security Report (Chicago: Trustwave Holdings, 2017), 1.
34
Symantec, Internet Security Threat Report, 22:64.
35
Verizon, Data Breach Investigations Report.
11
professionals in his work. 36 Other works describe the cybersecurity threat, as exemplified
by M. Mitchell Waldrop’s article in Nature that suggests individuals and organizations
need to understand the psychology of cyber threat actors to better defend against them. 37
These and other similar works focus public conversation on the ease with which cyber
threat actors attack entities, public and private alike, which calls for more—or different—
cybersecurity measures.
The aforementioned documents detail the undeniable fact that there is a multitude
of cyber threats across all CIKR sectors. These documents also offer a glimpse into the
havoc cyber-attacks cause in CIKR sectors as well as possible mitigation techniques. The
next set of documents presents research into passive and active cyber defense measures
and offers recommendations for policymakers. A healthy debate among cybersecurity
professionals regarding various recommendations permeates the worldwide discussion.
The recommendations are either to permit more active measures by private entities or to
restrict their usage to government entities and limit private entities to passive cyber defense
measures. Proponents of allowing private entities to engage in active cyber defense
measures in the United States often cite a 2006 Government Accountability Office report
that states “about 85 percent of the nation’s critical infrastructure is owned by the private
sector.” 38 Those citing this statistic often use it to demonstrate the decentralized nature of
CIKR sector and argue that control of implemented cybersecurity measures is beyond the
U.S. government.
Published in 2011, an NPS thesis by Tiong Pern Wong was one of the first scholarly
works to address active cyber defense measures. Wong’s seminal work limits the proposed
36
Roger A. Grimes, Hacking the Hacker: Learn from the Experts Who Take Down Hackers
(Indianapolis: Wiley, 2017).
M. Mitchell Waldrop, “How to Hack the Hackers: The Human Side of Cybercrime,” Nature 533, no.
37
Government and Private Sector Efforts Varies by Sectors Characteristics (Washington, DC: GAO, October
2006), 2.
12
implementation of active cyber defense measures to nation-states. 39 In doing so, Wong
avoids considering the legal implications of private entities engaging in active cyber
defense measures.
Dorothy Denning’s 2013 work expands on Wong’s limited framework for nation-
states to engage in active cyber defense measures. Denning offers a framework for public
and private entities alike to engage in active cyber defense based on the military construct
of missile defense. This is one of the first works calling for private entities to engage in
active cyber defense. To frame the discussion, she proposes four characteristics to consider
prior to engaging in active cyber defense activities: “scope of effects, degree of
cooperation, type of effects, and degree of automation.” 40 To illustrate these principles,
Denning explores different air defense shields, including the Patriot Missile System and
Israel’s Iron Dome, as well as the Coreflood botnet takedown. 41 Clearly, missile defense is
rooted in the construct of deterrence. The capability of intercepting missiles limits the
effectiveness of launching them. More devastating still is the ability to accurately identify
the launch point of missiles and immediately deploy a counter-attack. Such an ability deters
individuals from locating themselves at the launch site. Similarly, in cyberspace, certain
attribution of an attack limits an individual’s willingness to engage by changing the value
proposition. The increased likelihood of identification deters nefarious behavior in
cyberspace. Deterrence theory is discussed more fully toward the end of the literature
review.
In 2015, Michael Amao expanded on Denning’s work with his thesis for Utica
College. Amao proposes that active cyber defense measures have the potential to mitigate
cybercriminal activity. 42 Without explicitly exploring the concept of deterrence theory in
cyberspace, Amao’s thesis posits that active cyber defense measures can blunt
Tiong Pern Wong, “Active Cyber Defense: Enhancing National Cyber Defense” (master’s thesis,
39
In 2016, George Washington University’s Center for Cyber and Homeland Security
gathered a large group of professionals, academics, and cyber experts to discuss active
cyber defense measures, the legality thereof, and which (if any) measures should be
included in an active cyber defense framework. Former Secretary of Homeland Security
Michael Chertoff partnered with Former Director of National Intelligence Admiral Dennis
Blair to lead this effort. It resulted in the publication of a report that examines internal and
external measures private entities could undertake and offers a series of recommendations
to the executive branch, the legislative branch, and the private sector to create more robust
defense mechanisms to deter cyber threat actors. 43 Some of the key recommendations are
as follows:
• The President should direct executive branch agencies to research active cyber
defense measures, issue guidance for their deployment under current laws, and
negotiate with foreign entities to develop standards and procedures for the
employment of active cyber defense measures.
• The legislative branch should update the CFAA to ensure the legality of active
cyber defense measures.
• The private sector should develop best practices and policies for the
employment of active cyber defense measures. 44
43
Blair et al., Into the Gray Zone.
44
Blair et al., 31–33.
14
more security and criminalization of behavior. 45 Many of Nieto-Gómez’s examples
describe the criminalization of intellectual-property fraud; however, this narrow focus does
not address the legitimate concern of cyber threat actors either penetrating critical
infrastructure for nefarious reasons or stealing data. Essentially, he says hacking is
behavior consistent with the American entrepreneurial spirit; instead of criminalizing it, he
suggests the government should reward and incentivize the behavior for improvements in
critical infrastructure protection. 46 Most private entities engage in the sort of “bug bounty”
program proposed by Nieto-Gómez. Grimes outlines one such program from Microsoft. 47
This thesis does not explore the different technologies across the gamut of active
cyber defense. Rather, it focuses on the possible implementation of active cyber defense
measures in a global setting. The following two figures from Blair et al. summarize the
topic well. Figure 1 depicts the spectrum from passive cyber defense measures to
increasingly active measures, sorted by risk.
45
Rodrigo Nieto-Gómez, “Cyber-Geopolitics: Geopolitical Rivalries behind the Cyber-Threat
Narratives in the United States,” Medium (blog), August 20, 2014, https://medium.com/homeland-
security/cyber-geopolitics-a45fc698a3a1. This blog post was originally published as follows: Rodrigo
Nieto Gómez, “Cybergéopolitique: De l’utilité Des Cybermenaces,” Journal Hérodote, no. 1 (2014): 98–
122.
46
Nieto-Gómez.
47
Grimes, Hacking the Hacker, 268.
48
Robert S. Dewar, CSS Cyber Defence Trend Analysis 1: Active Cyber Defense (Zurich: Center for
Security Studies, 2017), 16.
49
Dewar, 4–22.
15
Figure 1. Active Cyber Defense Measures 50
Figure 1 depicts the range of active cyber defense measures in order of increasing
risk, while Figure 2 provides a short definition of each measure, again sorted by increasing
risk. This study does not delve into the different measures included in either figure but
merely uses them to demonstrate some of the different measures included in active cyber
defense.
50
Source: Blair et al., Into the Gray Zone, 26.
16
Figure 2. Active Cyber Defense Measures Defined 51
51
Source: Blair et al., 27.
17
D. EXISTING AND PROPOSED LEGISLATION
Individuals and entities within the United States are bound by the CFAA, which
makes it illegal to improperly access computers and computer systems. 54 Several U.S.
appellate court decisions provide additional guidance. One of the first cases involved
Robert Tappan Morris, who wrote and released a computer worm that infected thousands
of computers. He had released the worm on the internet for the express purpose of showing
the security flaws of a commonly used protocol that computers used to communicate. The
computer worm self-replicated as it moved across different networks on the internet. 55
Cultural lore credits Morris with crashing the internet. The Second Circuit ruled that Morris
exceeded his level of authorized access on the infected computer systems when he released
the self-propagating worm because he did not have permission to modify the systems and,
therefore, was guilty of violating the CFAA. 56
In a more recent case, Andrew Joseph Workman appealed his conviction related to
the distribution and possession of child pornography because he said the U.S. government
Paul Rosenweig, Steven P. Bucci, and David Inserra, “Next Steps for US Cybersecurity in the
52
Trump Administration: Active Cyber Defense,” Backgrounder, no. 3188 (May 5, 2017), 1.
53
Blair et al., Into the Gray Zone.
54
Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1984).
55
United States v. Robert Tappan Morris, 928 F.2d 504, 505–506 (2nd Cir. 1991).
56
Morris, 928 F.2d at 505.
18
exceeded its level of authorized access during the execution of a lawful search warrant
when it installed beaconing technology on the pornographic images of children. The
beaconing technology notified the U.S. government of the locations of computers that
housed the images after they left the government-controlled server. The 10th Circuit Court
of Appeals, affirming the conviction, ruled that due to the good faith doctrine, the U.S.
government has authority pursuant to a search warrant to install beaconing technology
regardless of the validity of the search warrant. 57 The Department of Justice’s Computer
Crimes and Intellectual Property Section publishes guidance for the U.S. attorney based on
statutes and court decisions to assist with prosecuting violations and suspected violations
of the CFAA. 58
57
United States v. Andrew Joseph Workman, 863 F.3d 1313, 1317–1318 (10th Cir. 2017).
58
Department of Justice, Computer Crimes and Intellectual Property Section: Prosecuting Computer
Crimes (Washington, DC: Office of Legal Education, 2015).
59
Active Cyber Defense Certainty Act.
60
Kristin E. Eichensehr, “Would the United States Be Responsible for Private Hacking?,” Just Security
(blog), October 17, 2017, https://www.justsecurity.org/46013/united-states-responsible-private-hacking/.
19
FBI. 61 Additionally, both question whether some of the undefined terms in the proposed
legislation, e.g., “persistent attacker,” and the nebulousness surrounding them may
adversely limit the implementation of the act. 62
Because the internet does not recognize geopolitical boundaries, individuals and
entities routinely circumvent the globe in their interactions with others. Therefore, the
Tallinn Manual 2.0 is an invaluable document for an entity engaged internationally in any
form of cyber activity. It describes 154 laws from around the globe. 64
E. LEGAL ANALYSIS
Three facets of the legal discussion on active cyber defense appear in the literature.
The first centers on the legality of employing active cyber defense measures in the United
States using the CFAA and case law as the basis for discussion. The second centers on how
other nations’ laws view active cyber defense measures. The third, included within the
61
Robert Chesney, “Legislative Hackback: Notes on the Active Cyber Defense Certainty Act
Discussion Draft,” Lawfare (blog), March 7, 2017, https://www.lawfareblog.com/legislative-hackback-
notes-active-cyber-defense-certainty-act-discussion-draft; and Herb Lin, “More on the Active Defense
Certainty Act,” Lawfare (blog), March 24, 2017, https://www.lawfareblog.com/more-active-defense-
certainty-act.
62
Chesney, “Legislative Hackback”; and Lin, “More on the Active Defense Certainty Act.”
63
Cyber Diplomacy Act of 2017.
64
Schmitt, Tallinn Manual 2.0, i.
20
international analysis but substantial enough to receive its own section, is the Law of
Armed Conflict (LOAC).
Shane McGee, Randy Sabett, and Anand Shah disagree with Kerr’s interpretation
of case law. They claim that an entity’s active cyber defense measures to defend its
networks and/or identify the perpetrators of an attack are legal under both U.S. and
international self-defense law and common law. 67 They offer a caveat: using active cyber
defense measures is illegal if they are employed against a misattributed entity. 68 Finally,
they posit that a private entity cannot use active cyber defense measures against nation-
states because doing so may violate the Neutrality Act. 69
On a blog for the law firm Steptoe & Johnson, Eugene Volokh adds to the argument
regarding self-defense. He explains self-defense does not need to be explicitly authorized
for it to be legal under U.S. and international law. On the same blog, former National
Security Agency (NSA) general counsel Stewart Baker proposes licensing private entities
65
Orin Kerr, “Norms of Computer Trespass,” Columbia Law Review 116 (May 1, 2016): 1143.
66
Josh Goldfoot and Aditya Bamzai, “A Trespass Framework for the Crime of Hacking,” George
Washington Law Review 84, no. 6 (December 2016): 1499.
67
Shane McGee, Randy V. Sabett, and Anand Shah, “Adequate Attribution: A Framework for
Developing a National Policy for Private Sector Use of Active Defense,” Journal of Business &
Technology Law 8, no. 1 (2013): 13–20.
68
McGee, Sabett, and Shah, 37.
69
McGee, Sabett, and Shah, 44.
21
to perform active cyber defense measures to ensure that only trained professionals engage
in the identification of cyber threat actors who penetrate networks and to promote
accountability in those using the tools. 70
Raymond Collin’s master’s thesis from Utica College echoes the objections raised
by Kerr and others regarding the legality of such measures and posits that the law should
change to allow private entities to use them. Collins adds that fully developing a capability
to conduct active cyber defense measures will also require a corporate cultural shift and an
investment in infrastructure. 73 Jautau White’s 2017 dissertation asserts 85 percent of
cybersecurity professionals will employ active cyber defense measures if they are feasible
and legal. Thus, the shift in corporate culture may have already occurred. 74
70
Steptoe & Johnson, “The Hackback Debate,” Steptoe Cyberblog, November 2, 2012, http://www.
steptoecyberblog.com/2012/11/02/the-hackback-debate/.
71
MacDermott, The Folded Paper, 116.
72
McGee, Sabett, and Shah, “Adequate Attribution,” 15.
73
Raymond Martin Luther Collins, “Proactive Cybersecurity through Active Cyber Defense” (master’s
thesis, Utica College, 2017), 29.
74
Jautau Kelton White, “Impact of Protection Motivation Theory and General Deterrence Theory on
the Behavioral Intention to Implement and Misuse Active Cyber Defense” (PhD diss., Capella University,
2017), 83.
22
2. International Legal Analysis
The debate over the international legality of active cyber defense measures is as
varied as the domestic debate. To understand the common framework for the debate, the
Council of Europe and the United States recognized a need for an international accord to
homogenize global laws on cyber matters in the late 1990s. The resultant 2001 treaty, the
Budapest Convention on Cybercrime, states in summary that nations should formulate their
laws governing cyberspace along the following guidelines:
• Every network has a base level of authorized access. Entities that exceed that
level of authorized access violate the law.
• Parties that subscribe to the treaty shall cooperate with other nations to
enforce these principles and share information pursuant to the appropriate
legal measure to allow the extradition and prosecution of perpetrators of acts
contrary to those provisions.
• Criminal liability does not attach to measures used for the protection of
computers and computer networks.
23
• The European Committee on Crime Problems (CDPC) shall settle disputes
between signatories. 75
75
Convention on Cybercrime, November 23, 2001, E.T.S. 185.
76
Alexander Seger, “The Budapest Convention on Cybercrime: A Framework for Capacity Building,”
Global Cyber Expertise Magazine, vol. 2, November 2016, 40.
77
William A. Owens, Kenneth W. Dam, and Herbert S. Lin, eds., Technology, Policy, Law, and Ethics
Regarding U.S. Acquisition and Use of Cyberattack Capabilities (Washington, DC: National Academies
Press, 2009), 34.
78
Jack Goldsmith, “Cybersecurity Treaties: A Skeptical View,” in Future Challenges in National
Security and Law, ed. Peter Berkowitz (Palo Alto, CA: Hoover Institution Task Force on National Security
and Law, Stanford University, February 2011), 2.
79
Jon. R. Lindsay, “The Impact of China on Cybersecurity: Fiction and Friction,” International
Security 39, no. 3 (Winter 2014): 42, https://doi.org/10.1162/ISEC_a_00189.
80
Lindsay, 41.
81
MacDermott, The Folded Paper, 89–94.
82
Erica D. Borghard and Shawn W. Lonergan, “Why Are There No Cyber Arms Control
Agreements?,” Defense One, January 18, 2018, http://www.defenseone.com/ideas/2018/01/why-are-there-
no-cyber-arms-control-agreements/145289/.
24
nature of cyberspace vis-à-vis the physical nature of conventional weapons. There are
limited places to hide conventional weapons and munitions. Conversely, because
weaponized software can be hidden virtually anywhere, adversaries must have complete
access to a nation’s networks to verify compliance with agreements, thus preventing a
nation from having secrets whatsoever. 83
Owens, Dam, and Lin propose that active cyber defense measures are permitted
under LOAC because it is a self-defense activity, which is explicitly permitted. 87 Building
on this theme, the cyber threat actors who engage in cyber-attacks commit actions
83
Borghard and Lonergan.
84
William H. Taft IV, “The Law of Armed Conflict after 9/11: Some Salient Features,” Yale Journal
of International Law 28, no. 2 (2003): 319.
85
Taft, 319.
86
Taft, 320–21.
87
Owens, Dam, and Lin, Technology, Policy, Law, and Ethics, 244.
25
previously limited to nation-states because of the ease by which lesser entities can develop
weapons, which when compared to conventional arms, are capable of delivering
tremendous devastation to both governmental and non-governmental organizations. As
such, a combination of both LOAC and the criminal statutes apply. 88 Owens, Dam, and
Lin call for explicit authorization to use active cyber defense measures through a
modification to the CFAA, which the proposed ACDC Act provides. 89
Tromp’s views of LOAC strongly differ from those of Owens, Dam, and Lin.
Tromp argues the same low barriers to entry, which they view as authorizing activities,
prohibit action. 90 Tromp maintains that active cyber defense measures violate the theory
of neutrality because attacks and attributional actions routed through innocent parties or
neutral bystanders violate the sovereignty of those trespassed. Therefore, any counter-
actions, which Owens, Dam, and Lin argue are authorized, are violations of LOAC. 91 From
Tromp’s perspective, the proposed ACDC Act is not feasible.
As Owens, Dam, and Lin demonstrate, both LOAC and national cybersecurity laws
apply to matters in cyberspace. Cyber threat actors, given their tactics and lack of
identifiable markings, may meet the definition of terrorists as Taft discusses regarding the
war on terror. 92 As Taft astutely recognizes, this does not mean these actors have no
protections under LOAC, but it does mean they can be treated differently. Nonetheless,
legislation like the ACDC Act and the Cyber Diplomacy Act of 2017 can help sort through
the ambiguity of the current legal framework and settle the debate.
F. DETERRENCE THEORY
Just as scholars disagree on the legality of active cyber defense measures employed
under the current legal framework, they also disagree on the concept of deterrence in
88
Owens, Dam, and Lin, 22.
89
Owens, Dam, and Lin, 72.
90
Tromp, “Law of Armed Conflict.”
91
Tromp.
92
Taft, “The Law of Armed Conflict after 9/11,” 323.
26
cyberspace. Joshua Tromp argues deterrence does not apply to cyberspace because the
barriers to entry are virtually non-existent—in contrast to an entity attempting to develop
a chemical or nuclear weapon for which the barriers are numerous. Consequently, almost
anyone can attempt to compromise a network. 93 Tromp adds that because attribution is
extremely difficult in cyberspace given the ease with which traffic can be routed through
different networks, no deterrence can exist. 94 Tromp concludes that nearly every active
cyber defense measure violates the theory of proportionality in law, which states the
punishment should fit the crime. 95
Mariarosaria Taddeo echoes the same concerns as Tromp. Her concern centers
primarily around the limited barriers to entry and success in the cyber weapons realm that
if countered by a more powerful force engaged in active cyber defense, would pose a
serious threat of escalation. 98 Similar to Tromp, she maintains that the difficulties
associated with attribution limit the deterrent effect of active cyber defense and that the
93
Tromp, “Law of Armed Conflict.”
94
Tromp.
95
Tromp.
96
Chen, “Cyber Deterrence by Engagement and Surprise,” 105.
97
Joshua Higgins, “Industry: New House Bill Lays Groundwork for Policy Dialogue on Active Cyber
Defense,” Inside Cybersecurity, March 7, 2017, http://libproxy.nps.edu/login?url=https://search.proquest.
com/docview/187507644 5?accountid=12702.
98
Mariarosaria Taddeo, “The Limits of Deterrence Theory in Cyberspace,” Philosophy & Technology
31, no. 3 (September 2018): 339, https://doi.org/10.1007/s13347-017-0290-2.
27
relative difficulty of demonstrating capabilities in cyberspace—holding a military parade
in the conventional sense—limits the effectiveness of deterrence. 99 Taddeo’s analysis falls
short in acknowledging how active cyber defense measures will help increase attribution,
as Chen articulates.
Richard Andres believes the United States generally self-deters from retaliating
against cyber-attacks due to a lack of political will in the nation. 100 He uses the examples
of the public’s inability to grasp the loss and the difficulty in attribution as reasons. 101 As
other scholars have demonstrated about improvements in technology, the ability of cyber
defenders to attribute cyber-attacks to threat actors will continue to improve, which lessens
Andres’ concern. Furthermore, Herath and Rao discuss that the will to enforce rules or laws
has a tremendous deterrent effect on poor behavior in cyberspace. 102
Hoffman and Levite discuss how most governments treat their responsibility for
security of the private sector differently in cyberspace than in the physical realm, which
has encouraged the behavior of cyber threat actors. 103 Thus, if governments allow private
entities to engage in active cyber defense, the cumulative effect is deterrence of poor
behavior because it will reduce the benefits derived by the cyber threat actors because they
are unsure of the attributional capabilities of cybersecurity professionals. 104 Hoffman and
Levite call for governments worldwide to allow private entities to engage in active cyber
defense, which will result in increased security for everyone. 105
Although almost everyone agrees the world has an increasing cyber threat problem
and that more needs to be done to combat the issue, the method to solve the problem brings
99
Taddeo, 342.
100
Richard Andres, “Cyber Gray Space Deterrence,” PRISM 7, no. 2 (December 21, 2017): 92.
101
Andres, 97.
102
Tejaswini Herath and H. Raghav Rao, “Protection Motivation and Deterrence: A Framework for
Security Policy Compliance in Organisations,” European Journal of Information Systems 18, no. 2 (2009):
112, https://doi.org/10.1057/ejis.2009.6.
103
Wyatt Hoffman and Ariel E. Levite, Private Sector Cyber Defense: Can Active Measures Help
Stabilize Cyberspace? (Washington, DC: Carnegie Endowment for International Peace, 2017), 3.
104
Hoffman and Levite, 18.
105
Hoffman and Levite, 41.
28
widely varying techniques to the forefront. Some suggest current passive cybersecurity
techniques need to be employed more effectively by shoring up basic cyber hygiene
processes. Others propose that current passive cybersecurity techniques are inadequate, and
laws need to change to allow the employment of active cyber defense measures by private
entities. Representatives Graves and Sinema’s proposed ACDC Act has brought to light an
entirely new discussion on whether deterrence is even possible in cyberspace. Deterrence
theory in cyberspace differs from deterrence theory in the nuclear age, wherein mutually
assured destruction ensured nations did not employ their nuclear arsenals against one
another. As several scholars have indicated, the barriers to entry into the cyber realm are
almost non-existent, which changes the players and the dynamic in which they interact. To
argue there can be no deterrence in cyberspace discounts how the smallest of actions impact
behavior, as Herath and Rao as well as Chen detail in their respective works.
G. CONCLUSION
In reviewing the literature, all parties agree cybersecurity is a national security issue
for America and the world. Cyber incidents increase year after year as demonstrated in the
publications of cybersecurity firms. The proposed techniques to address the issue vary from
the better implementation of passive cyber defense measures to calls for more active
measures. Legal scholars argue over the legality of active measures domestically and
internationally as well as the efficacy of the measures and their ability to deter cyber threat
actors. Representatives Graves and Sinema proposed legislation to create a positive defense
through the employment of active cyber defense measures under the CFAA, which
reframes the discussion. Coupling the ACDC Act with Representative Royce’s Cyber
Diplomacy Act of 2017 may reduce many of the objections. The remainder of this thesis
explores different courses of action for the implementation of active cyber defense
measures to increase the common defense.
29
THIS PAGE INTENTIONALLY LEFT BLANK
30
III. COURSES OF ACTION
This course of action leaves everything as it currently stands. The ACDC Act has
not passed the U.S. Congress, nor has similar legislation passed the legislative branch of
any other nation. Active cyber defense measures, which exceed authorized levels of access,
are at least arguably illegal as detailed in U.S. legal debate and the Tallinn Manual 2.0.
Furthermore, this course of action assumes civil and possibly criminal actions will increase
against entities engaged in active cyber defense measures—using logic proposed by
MacDermott and others—as they shore up their cyber postures.
This course of action assumes only the ACDC Act is passed; there are no other
changes to U.S. legislation or the international legislation detailed in the Tallinn Manual
2.0. This course of action assumes the U.S. Congress passed and the President signed the
ACDC Act, which creates an affirmative defense for private entities to employ active cyber
defense measures external to their networks upon notification to federal law
enforcement. 106
106
Active Cyber Defense Certainty Act.
31
C. COURSE OF ACTION C: INTERNATIONAL BODY TO ADDRESS
CYBER DISPUTES
This course of action assumes the ACDC Act is passed, the U.S. creates a national
director of cybersecurity as detailed in this chapter, and the Cyber Diplomacy Act of 2017
is passed. It further explores different bodies to mitigate disputes and makes a
recommendation as to which body should mitigate any disputes that will inevitably arise
as a result the ACDC Act’s passing.
The U.S. government created a director of national intelligence in 2005 due to the
9/11 Commission’s findings. Despite the model to have the various intelligence community
(IC) members report to a single authority to facilitate a unified national intelligence plan,
there is no single authority in the executive branch responsible for creating a unified
cybersecurity policy. The head of the Department of Defense’s U.S. Cyber Command is
dual-hatted as the director of the NSA (an IC member). The Department of Homeland
Security’s National Protection and Programs Directorate oversees both the Office of
Cybersecurity and Communications and the Office of Cyber and Infrastructure Analysis.
The Department of Commerce’s National Institute of Standards and Technology publishes
and maintains the Cybersecurity Framework, which is mandated for use by the Department
of Health and Human Services for the healthcare industry. The Department of Justice’s
criminal division oversees the Computer Crimes and Intellectual Property Section. In the
federal law enforcement arena, the U. S. Secret Service is responsible for investigating
crimes against the financial infrastructure committed by individuals; the Federal Bureau of
Investigation enforces laws pertaining to both crimes committed by individuals and those
for the purpose of espionage; U.S. Immigration and Customs Enforcement’s Homeland
Security Investigations division is responsible for investigating intellectual property fraud,
which includes child pornography; and the Internal Revenue Service, among other
agencies, has a cyber-crimes division. Those are a small sampling of federal law
enforcement agencies with an interest in cybersecurity. The Federal Reserve Bank, a quasi-
government entity, regulates a large percentage of America’s banks and requires the
32
banking industry utilize the Federal Financial Institutions Examination Council’s
cybersecurity framework.
The lack of a cohesive cybersecurity policy is also attributed to the cyber threat
landscape. Nation-states, criminal syndicates, and hacktivist organizations all occupy the
cyber threat space and have different motives and targets. Criminal syndicates attempt to
steal easily monetized data. Hacktivist organizations generally try to embarrass
organizations to correct a perceived wrong. Nation-state attacks may be offensive, gather
intelligence, or involve monetary motivations. 110 Each group uses different attack vectors
and methodologies; however, the most common attack vector for all groups involves the
107
Government Accountability Office, Critical Infrastructure Protection, 2; and Verizon, Data Breach
Investigations Report, 11.
108
Owens, Dam, and Lin, Technology, Policy, Law, and Ethics, 56.
109
Other homeland security professionals are increasingly arriving at the same conclusion as evidenced
by articles like the following: David H. Petraeus and Kiran Sridhar, “The Case for a National Cybersecurity
Agency,” Politico, September 5, 2018, https://politi.co/2MOCnMh.
110
Jim Finkle, “North Korea Likely behind Taiwan SWIFT Cyber Heist: BAE,” Reuters, October 16,
2017, https://www.reuters.com/article/us-cyber-heist-north-korea-taiwan/north-korea-likely-behind-taiwan-
swift-cyber-heist-bae-idUSKBN1CL2VO.
33
use of stolen credentials. 111 Because of the differing motivations, organizations that
properly identify crown jewels can ascertain which protective measures to employ to
mitigate attack vectors. 112 Consequently, the differing motivations of cyber threat actors
should not prevent a cohesive national policy. Furthermore, one of the advantages in the
cyber threat landscape can be information sharing between entities (e.g., public, private,
and academic) about the differing attack vectors. Entities can implement specific controls
to thwart attacks.
111
Verizon, Data Breach Investigations Report, 16.
112
Crown jewels are the key pieces of data and information a company has that make its business
viable. The loss of this information generally means a company no longer exists. Among cybersecurity
professionals, it is a common term and concept in describing what information a company must protect so
that the proper tools can be put into place. Misidentification generally means the company is spending
money to protect something that, if lost, is not critical to its business model. For an investment company,
this would include both its client account information and trading strategy, which makes it different from
other investment companies.
34
successful attack. This regulatory model is a framework to formulate the relationship
between the national director of cybersecurity and the private sector, which controls 85
percent of America’s critical infrastructure. 113
The commander of U.S. Cyber Command also serves as the director of the National
Security Agency. In addition to the elements directly under his or her control, each of the
branches of the U.S. Armed Forces has a cyber component for offensive and defensive
capabilities. Furthermore, the Defense Criminal Investigative Service, the U.S. Army’s
Criminal Investigative Division, the Naval Criminal Investigative Service, and the U.S. Air
Force’s Office of Special Investigations all have a dedicated cyber unit. Given the
membership of the NSA in the IC, it is possible the goals of U.S. Cyber Command and the
NSA may be at odds with one another. Without questioning the professionalism or the
capability of the dual-hatted individual, is it possible for a single person to mediate between
the two organizations on those occasions? Separating the roles of the commander of the
U.S. Cyber Command and the director of the NSA seems a prudent place to begin with the
creation of a national director of cybersecurity.
d. Conclusion
Considering the aforementioned items, the threat to national security created by the
number of diverse and disparate executive branch entities with a role in the creation and
implementation of America’s cybersecurity policy necessitates the creation of a national
director of cybersecurity. Furthermore, the director needs regulatory authority over private-
sector CIKR entities to ensure best practices are followed, and the U.S. government issues
a standard for the sectors to follow in cybersecurity matters. This will eliminate duplication
of effort among the executive branch because policy matters will be implemented by a
single entity. It should also have the added benefit of cost savings through the elimination
of jobs. Like the director of national intelligence’s budgetary authority over IC agencies,
113
Government Accountability Office, Critical Infrastructure Protection, 2.
35
the national director of cybersecurity should have a similar authority to ensure policy
matters in the executive branch are followed. Furthermore, as a co-equal to the director of
national intelligence, the new position can help coordinate America’s cybersecurity policy
among the IC, the military, law enforcement, and the other executive branch entities
engaged in cybersecurity activities. Finally, as with the director of national intelligence,
the national director of cybersecurity should have some budgetary control over those
entities to ensure compliance with the overarching policy. Just as the attacks on September
11, 2001, necessitated the creation of a director of national intelligence, the number of
cyber-attacks occurring annually necessitates a unifying cybersecurity policy under a
national director of cybersecurity.
114
Cyber Diplomacy Act of 2017.
36
3. Possible Bodies to Mitigate Disputes
This thesis considers three possible entities to mitigate international disputes, which
will arise unavoidably should the ACDC Act become law. The United States and 67 other
nations are signatories to the Budapest Convention on Cybercrime, which provides a
framework for countries to base cyber laws. 115 NATO’s Cooperative Cyber Defence
Center of Excellence (CCDCOE) is an expert in the laws of nations by virtue of its
involvement with the Tallinn Manual 2.0.116 Europol’s European Cybercrime Centre
(EC3) is a law enforcement information-sharing entity created for the worldwide reduction
in cybercrime. 117
The Council of Europe and the United States realized a need for consistent
legislation to address cyberspace worldwide in the late 1990s. Consequently, they gathered
representatives in Budapest to discuss the various laws of the nations to establish a
framework for permitted and prohibited activities in cyberspace. The negotiations created
the Budapest Convention on Cybercrime treatise in 2001. 118
NATO created the CCDCOE in Tallinn, Estonia, in 2008 “to enhance the
capability, cooperation and information sharing among NATO, NATO nations and partners
in cyber defense by virtue of education, research and development, lessons learned and
consultation.” 119 Currently, 20 of NATO’s member countries are also members of the
CCDCOE. To increase information sharing with the private sector, in 2009, the CCDCOE
partnered with SEB—a Scandinavian banking institution—to study cyber threat activities.
115
Convention on Cybercrime.
116
“Home Page,” NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), accessed May
28, 2018, https://www.ccdcoe.org.
117
“European Cybercrime Centre - EC3,” Europol, accessed May 28, 2018, https://www.europol.
europa.eu/about-europol/european-cybercrime-centre-ec3.
118
Convention on Cybercrime.
119
CCDCOE, “Home Page.”
37
It conducts cyber table-top exercises for both the public and private sectors to help entities
shore up cyber defenses. Finally, it contributed to the development of the Tallinn Manual
2.0, a one-stop resource for public and private entities alike to understand the
various—and often conflicting—cyber laws of all nations. 120
If the United States or another nation passes a law similar to the ACDC Act, a
mechanism for mitigating international disputes must exist to address the inevitable
disagreements between nation-states.
a. Dispute Resolution
The Budapest Convention on Cybercrime, the CCDCOE, and EC3 all have
mechanisms for sharing information with members and non-members. The Budapest
Convention on Cybercrime has a specific entity—the European Committee on Crime
Problems (CDPC)—for mitigating disputes between members. The education wing of the
CCDCOE and the strategy section of EC3 have outreach mechanisms embedded in their
120
CCDCOE, “Home Page”; and Schmitt, Tallinn Manual 2.0.
121
Europol, “European Cybercrime Centre.”
122
Europol.
38
core, which could be used by nations to facilitate dispute mitigation. Each of the
aforementioned organizations has strengths and weaknesses in mitigating disputes.
The CDPC’s mechanism for resolving disputes has been criticized for its lack of
use and enforcement mechanisms by the signatories. Goldsmith cites the Budapest
Convention on Cybercrime, which explicitly allows for the defense of computer networks
as a justification for violating other protections under the treatise. 123 Goldsmith argues that
a nation could attempt to justify its interests as a defensive measure in allowing for the
attack on a sector or infrastructure otherwise protected by the treatise. 124 The Budapest
Convention on Cybercrime further allows nations to express their reservations about any
of the clauses as they become signatories. 125 Thus, as one signatory nation expresses
reservations over a clause and a subsequent dispute arises, the CDPC would honor those
expressed concerns in any subsequent dispute mitigation. Furthermore, if a nation asserts
the violation was a defensive response to an offensive attack, it could be exempted from
censure. 126 This defense may work in favor of a nation or its private entities employing
active cyber defense measures; however, dispute mitigation may consequently be less than
satisfactory.
123
Convention on Cybercrime, art. 6, para. 2.
124
Goldsmith, “Cybersecurity Treaties: A Skeptical View,” 5.
125
Convention on Cybercrime, art. 42.
126
Convention on Cybercrime, art. 6.
39
the threat of military force, whether perceived or actual, may limit the willingness of
nations to bring disputes before the CCDCOE for mitigation.
b. Implementation Possibilities
EC3, as a law enforcement entity, is not suited for dispute mitigation. Both the
CDPC and the CCDCOE provide the knowledge of a legal framework or is itself a legal
framework, which could be used as the foundation for dispute mitigation between nations.
The advantage of using the CDPC arises from the fact that the Budapest Convention on
Cybercrime is a framework for nations to create their cyber laws. The inherent weakness
of the Budapest Convention on Cybercrime is the ability of nations to exempt themselves
from several of the clauses while still being signatories. The CCDCOE’s strength lies in its
extensive study of international laws, and by extrapolation, it can articulate how an active
cyber defense measure may infringe on the sovereignty of another.
The concern of the CCDCOE adjudicating a dispute is the threat of kinetic force by
NATO if the losing nation does not abide by the imposed corrective measures. The only
example from which any lessons can be drawn is in the Russian–Ukrainian conflict, which
is both cyber and kinetic. The kinetic attacks on Ukraine by Russia began in 2014. The
cyber-attacks most notably occurred in 2015 and 2017. 127 The kinetic warfare predates the
cyber warfare, and the later cyber-attacks are more likely extensions of the kinetic war.
Therefore, no reliable indicator exists. Certainly, nations will preserve the right to wage a
127
Kenneth Geers, ed., Cyber War in Perspective: Russian Aggression against Ukraine (Tallinn,
Estonia: CCDCOE, 2015), 8.
40
kinetic war in response to a cyber-attack, as outlined in Air Marshal Phil Collins’ UK
Ministry of Defence May 28, 2018, speech to the Royal United Services Institute in the
United Kingdom. 128
The charters of both the Budapest Convention on Cybercrime and the CCDCOE
need to be modified to become an effective mitigatory agency for disputes. The Budapest
Convention on Cybercrime would need to empower the CDPC to mitigate disputes, which
requires a change to the treatise, and ideally, nations should not be allowed to exempt
themselves from clauses to become signatories, which requires an additional change to the
treatise. If those fundamental changes were made, one can reasonably infer some nations
would withdraw from the treaty, thereby limiting its effectiveness as a tool for mediation.
The charter of the CCDCOE would need to be expanded to allow for it to serve as a
mitigation agency.
The United States does not have any organization like either the CDPC or the
CCDCOE in existence which could mitigate disputes between nations on cyber matters,
which will arise with the implementation of the ACDC Act. As a signatory to both NATO
and the Budapest Convention on Cybercrime, the United States could petition for either to
serve as a mediator between nations for disputes. Representative Royce’s proposed
legislation—the Cyber Diplomacy Act of 2017—creates an entity within the DoS to
negotiate cyber matters on behalf of the United States and, if passed, could liaise with the
identified mitigation entity. 129
c. Conclusion
The United States should petition NATO to change the charter of the CCDCOE, so
it can be the international agency to mitigate cyber disputes between nations. The
CCDCOE should use the Budapest Convention on Cybercrime as a framework for disputes
arising from the implementation of the ACDC Act. As reflected in the literature, the CDPC
128
Kevin Townsend, “UK Warns That Aggressive Cyberattack Could Trigger Kinetic Response,”
Security Week, May 25, 2018, https://www.securityweek.com/uk-warns-aggressive-cyberattack-could-
trigger-kinetic-response.
129
Cyber Diplomacy Act of 2017.
41
does not have the international regard of the CCDCOE, nor does it have the backing of
NATO as a peacemaker—similar to the 1990 wars in the Balkans where NATO forces
pacified the regional conflict. The CCDCOE’s legal expertise with its work on the Tallinn
Manual 2.0 will help with its dispute mitigation because it has the perspective of the
claimed affronts to a nation’s laws. The CCDCOE’s 29 centres provide the infrastructure
necessary to mitigate disputes in a variety of locales. 130 Thus, with the infrastructure and
the expertise in place, a slight expansion of the CCDCOE’s mission by NATO would
enable it to fulfill this role.
130
CCDCOE, “Home Page.”
42
IV. OPTIONS ANALYSIS USING A CYBER SCENARIO
Facilitating the evaluation of the courses of action presented in this thesis, the
options analysis uses the following scenario, which replicates common cyber-attack
patterns. An external cyber threat actor hacks a multi-national U.S. corporation, Cody’s
Haberdashery. During the hack, the cyber threat actor performs reconnaissance on the
network, installs keystroke logger malware on the chief financial officer’s computer, and
successfully exfiltrates Cody’s Haberdashery’s banking account credentials. Subsequently,
the cyber threat actor transfers a significant majority of Cody’s Haberdashery’s funds into
a bank account in the People’s Democratic Republic of Krasnovia—a non-signatory to the
Budapest Convention on Cybercrime. 131 The criminals then convert the stolen funds into
digital currency using a cryptocurrency exchanger that does not recognize U.S. legal
proceedings. The cybercriminals further process their ill-gotten gains through an
anonymizer. Cody’s Haberdashery notifies U.S. federal law enforcement of the breach and
its intent to use active cyber defense measures to track the internet protocol (IP) and media
access control (MAC) addresses to identify the threat actor. During the deployment of
active cyber defense measures, Cody’s Haberdashery follows the cybercriminal’s digital
evidence trail and transits the networks of RiverBend Zachary, a company located in the
Republic of Mojave—a signatory to the Budapest Convention on Cybercrime—without
causing damage and discovers the IP and MAC addresses of the threat actor located in the
People’s Democratic Republic of Krasnovia. 132 Upon realizing a third party accessed its
networks, RiverBend Zachary notifies law enforcement in the Republic of Mojave, which
identifies the IP and MAC addresses of a computer from Cody’s Haberdashery. The
Republic of Mojave subsequently indicts the chief executive officer (CEO) of Cody’s
131
“National Training Center Scenarios,” Global Security, accessed October 20, 2018, https://www.
globalsecurity.org/military/ops/ctc-ntc-scenario.htm. Both the People's Democratic Republic of Krasnovia
and the Republic of Mojave are fictional countries created by the U.S. Army for training scenarios at the
National Training Center, Fort Irvin, CA. They are used here for representational purposes.
132
Global Security, “National Training Center Scenarios.”
43
Haberdashery and obtains an arrest warrant, which is filed with INTERPOL as a red
notice. 133
A. CRITERIA
For the options analysis criteria, this thesis considers the legality of the courses of
action both within the United States and internationally as pivotal to any evaluation.
Entities concerned about the legality of their actions usually do not employ questionable
practices for fear of being held either criminally or civilly liable for their actions. Thus,
deterrence can be a strong motivator for behavior, as Herath and Rao’s 2009 study
indicates. 134 As such, deterrence is included as the third and final evaluative criteria for this
thesis.
1. Domestic Legality
2. International Legality
Because the Tallinn Manual 2.0 definitively explores the laws of nations, which are
outside the scope of this thesis, stating how different nations would judge active cyber
defense measures is nearly impossible. This thesis uses the standards of the Budapest
133
An INTERPOL red notice is used by member nations to notify other countries of extraditable
warrants for wanted persons.
134
Herath and Rao, “Protection Motivation and Deterrence,” 112.
44
Convention on Cybercrime to evaluate international legality. As previously explored, the
Budapest Convention on Cybercrime uses a similar standard of exceeding the level of
authorized access in a network as the CFAA does. Kerr argues that by definition, active
cyber defense measures exceed levels of authorized access. 135 As previously noted, the
Budapest Convention on Cybercrime permits external defensive measures for the express
purpose of protecting “a computer system.” 136 Thus, without an international body to
mitigate disputes, any employed active cyber defense measures are deemed illegal and
annotated as a “no” in Table 1. Conversely, with the empowerment of an international body
to mitigate disputes, any employed active cyber defense measures are deemed legal and
reflected as a “yes” in Table 1.
3. Deterrence
As Hoffman and Levite propose, employment of active cyber defense measures has
a deterrent effect on cyber threat actors as it reduces the illicit gains from stolen data
because some of the tools employed potentially remove the anonymity currently enjoyed
in cyberspace. 137 Using this framework, this thesis records a “yes” for the employment of
active cyber defense measures and a “no” for course of actions which do not permit active
cyber defense measures.
Using these definitions for the options analysis, Table 1 presents the findings,
which are discussed and analyzed further following the table.
135
Kerr, “Norms of Computer Trespass,” 1143.
136
Convention on Cybercrime, art. 6, para. 2.
137
Hoffman and Levite, Private Sector Cyber Defense, 18.
45
Table 1. Options Analysis
International
Domestic Legality Deterrence
Legality
Course of Action A No No No
Course of Action B Yes No Yes
Course of Action C Yes Yes Yes
When the CEO of Cody’s Haberdashery authorizes the use of active cyber defense
measures external to his network, he permits both domestic and foreign illegal activity. In
doing so, he runs afoul of the CFAA in the United States and the equivalent law in the
Republic of Mojave by permitting his corporation to exceed its level of authorized access
to RiverBend Zachary’s network. After the Republic of Mojave subsequently indicts the
CEO of Cody’s Haberdashery and seeks an INTERPOL red notice, the United States
should extradite him. Additionally, after he voluntarily provides evidence against himself
to U.S. law enforcement of his illegal activities, the local U.S. Attorney’s Office should
also indict him for violating the CFAA, further adding to his legal woes. Finally, despite
the identification of the cybercriminals in the People’s Democratic Republic of Krasnovia
and despite the lack of applicability of the exclusionary rule of evidence—because it was
collected by a private entity not acting on the government’s behalf—those cyber threat
actors are not indicted. Therefore, course of action A does not deter the Krasnovian cyber
threat actors because the evidence collected against them most likely will not be used in a
court of law. Though not reflected in Table 1, the actual deterrence likely occurred with
other U.S. corporations from using active cyber defense measures as they observed the
legal proceedings against Cody’s Haberdashery.
46
Forbes article in June 2018, entitled “CEOs: The Data Breach Is Your Fault.” 138 Given the
lack of reporting for those reasons results in fewer prosecutions of cyber threat actors occur,
which further reinforces the illegal behavior. Clearly, the status quo scenario does not
improve global cybersecurity given the negative consequences for all except the cyber
threat actor.
If the United States passes the ACDC Act without addressing the international
concerns raised by such opponents as former Department of Justice cybersecurity
prosecutor Luke Dembosky, no international body exists to negotiate on behalf of the CEO
of Cody’s Haberdashery. 139 Once the United States receives the red notice from
INTERPOL, it is on a firm legal footing to exercise Chapter 1, Article 6, paragraph 2, of
the Budapest Convention on Cybercrime, which permits external defensive measures to
protect data because the actions of Cody’s Haberdashery were expressly permitted under
U.S. law. Likewise, it is more probable that a U.S. attorney will charge the perpetrators in
the People’s Democratic Republic of Krasnovia based on evidence provided by Cody’s
Haberdashery.
Course of action B does not alleviate the international legal woes faced by Cody’s
Haberdashery, but it does provide for a positive defense to any prosecution for violation of
the CFAA, and the Budapest Convention on Cybercrime seems to support the corporation’s
actions. Because the Republic of Mojave is a signatory to the treaty, Cody’s Haberdashery
would have to mount a vigorous criminal defense in that country; however, because the
outcome of the hypothetical criminal trial cannot be predicted, the international legality of
this scenario is recorded as “no.” Given the increased likelihood of criminal prosecution of
the cyber threat actors in the United States, the deterrence of such behavior increases. Over
time, identifying cyber threat actors and a corresponding increase in criminal indictments
will deter illegal behavior in cyberspace.
138
Brian NeSmith, “CEOs: The Data Breach Is Your Fault,” Forbes, June 26, 2018, https://www.
forbes.com/sites/forbestechcouncil/2018/06/26/ceos-the-data-breach-is-your-fault/.
139
Steven Nelson, “‘Active Cyber Defense’ or Vigilantism?,” Examiner, February 7, 2018,
https://search.proquest.com/docview/1999668841?accountid=12702.
47
D. COURSE OF ACTION C: DISCUSSION
The Office of Cyber Issues under the DoS can present that evidence to the
CCDCOE as mitigating factors, which demonstrate that the actions of Cody’s
Haberdashery were defensive in nature when it transversed the networks of RiverBend
Zachary in the process of identifying the Krasnovian cyber threat actors. The Office of
Cyber Issues can invoke Chapter 1, Article 6, paragraph 2, of the Budapest Convention on
Cybercrime. The Republic of Mojave can then use that information to vacate the criminal
indictment against the CEO of Cody’s Haberdashery and issue a new indictment against
the cyber threat actors in the People’s Democratic Republic of Krasnovia. Additionally,
the United States can unseal its earlier criminal indictment against those same actors from
Krasnovia, who used the evidence uncovered by Cody’s Haberdashery during the
employment of the active cyber defense measures. The Krasnovian cybercriminals are then
publicly identified. The United States, the Republic of Mojave, and the CCDCOE request
extradition. Because a clause in the constitution of the People’s Democratic Republic of
Krasnovia forbids the extradition of its citizens to third nations, it does not comply;
however, the veil of anonymity over the Krasnovian cybercriminals has been lifted,
limiting their ability to operate and preventing them from traveling outside the country.
With course of action C, the Office of Cyber Issues presents the legally defensible
actions of Cody’s Haberdashery under U.S. law, made available through information
sharing under the national director of cybersecurity to the CCDCOE by invoking the
48
defensive clause under the Budapest Convention on Cybercrime. This, in turn, causes the
Republic of Mojave to vacate its warrant. In such a case, the actions are internationally
legal. Finally, multiple governments issue arrest warrants for the cyber threat actors,
creating a deterrence effect for others—as detailed in works like Herath and Rao’s study—
due to the increased opportunity cost for the illicit behavior. 140
Because cyber threat actors will not know the active cyber defense capabilities of
their targets, globally cybersecurity can improve as a result. Opponents may argue the use
of the information gleaned from active cyber defense measures in a public forum (e.g.,
criminal prosecutions) will enable the cyber threat actors to change their tactics. This may
occur, but the abilities of cyber defenders will increase as well, which negates this
objection. The continual increase in breaches demands that action be taken. The
combination of actions in option C will help make cyberspace a more secure environment
for all.
140
Herath and Rao, “Protection Motivation and Deterrence,” 112.
49
THIS PAGE INTENTIONALLY LEFT BLANK
50
V. RECOMMENDATIONS AND CONCLUSION
Proponents and opponents of active cyber defense measures all agree cybersecurity
is a national security issue for the nations of the world. For instance, on July 24, 2018,
German interior minister Horst Seehofer called for the use of active cyber defense measures
as he released the domestic intelligence service’s report of cyber-attacks in Germany. 141
The time has come for authorization of active cyber defense measures by private entities,
notwithstanding pithy quotes such as the following in Computer Shopper’s Zygote column:
Although the new bill is full of good intentions, it is called the Active Cyber
Defense Certainty act. This has been abbreviated by its sponsors to ACDC,
once labelled by Rolling Stone magazine as the greatest rock‘n’roll band of
all time. However, Zygote reminds the U.S. House of Representatives that
AC/DC’s greatest hit was called Highway to Hell, which is what good
intentions end up becoming. 142
A. RECOMMENDATIONS
As many others have noted, the time has come for the U.S. government to enable
the private sector the ability to engage in active cyber defense measures. The legislative
branch, the executive branch, NATO, and the private sector all have a role to play in the
implementation of active cyber defense measures. As there is some ambiguity surrounding
the employment of active cyber defense measures, the U.S. Congress needs to make at least
some facet of active cyber defense legal. The executive branch needs to develop the policy
surrounding the legalization of active cyber defense. NATO should explore a role in the
mitigation of disputes arising between nations from the employment of active cyber
defense measures. The private sector needs to develop implementation techniques. More
specifics follow in the next four sections.
Andrea Shalal and Thomas Escritt, “In Cyber, Germany Needs to Counter-Attack, Minister Says,”
141
This thesis was written as a U.S. congressional session nears its end, which means
the proposed legislation discussed throughout may expire. Regardless, this or a subsequent
session of Congress can incorporate the recommendations into current or future legislative
proposals. To remove the ambiguity surrounding the employment of active cyber defense
measures, the U.S. Congress needs to pass the ACDC Act with the following
modifications:
• The legislative branch should combine the ACDC Act and the Cyber
Diplomacy Act of 2017 to incorporate the explicit authorization of active
cyber defense measures as a positive defense to the Computer Fraud and
Abuse Act (CFAA) and the creation of an office to address cyber matters on
an international stage on behalf of the United States.
• The national director of cybersecurity should have regulatory control over the
private sector’s employment of active cyber defense measures, similar to the
Federal Reserve Board’s authority over the banking sector, to help ensure best
practices are followed.
• The legislative branch needs to amend the Cyber Diplomacy Act of 2017 to
account for the creation of the national director of cybersecurity.
• The legislative branch must remove the limiting factor in the ACDC Act for
the cooperation of the private sector with the Federal Bureau of Investigation
52
(FBI). It needs to be broadened to include any federal law enforcement agency
with jurisdiction over the CFAA and the national director of cybersecurity as
well as to account for the creation of the national director of cybersecurity and
the statutory authorization of federal law enforcement agencies in the CFAA.
• The legislative branch needs to amend the ACDC Act further to define the
concept of “persistent attack” as Lin and Chesney indicate. 143
2. Executive Branch
The President should direct the executive branch to perform the following actions:
• The executive branch should create policies and a mechanism for the private
sector to work with federal law enforcement and the national director of
cybersecurity in their employment of active cyber defense measures.
• The executive branch should separate the roles of U.S. Cybercommand and
the director of the National Security Agency to end the potential conflicts of
interest between the two roles.
143
Chesney, “Legislative Hackback”; and Lin, “More on the Active Defense Certainty Act.”
53
• The executive branch should work with NATO to change the charter of the
Cooperative Cyber Defence Centre of Excellence (CCDCOE) to enable it to
mitigate disputes between nations on the employment of active cyber defense
measures.
3. NATO
NATO and NATO’s CCDCOE play an integral role in dispute mitigation. As such,
• NATO should explore whether its charter needs to be modified to allow for
the CCDCOE to mitigate cyber disputes between nations.
• The CCDCOE should continue the legal analysis that began in its Tallinn
Manual 2.0 on the International Law Applicable to Cyber Operations.
4. Private Sector
As the implementor of legalized active cyber defense measures, the private sector
has a key role and should do the following:
• Develop best practices and policies for the employment of active cyber
defense measures 144
Blair et al., Into the Gray Zone; and Rosenweig, Bucci, and Inserra, “Next Steps for US
144
Cybersecurity.”
54
B. AREAS OF FUTURE STUDY
A third suggested area of study would be to develop more fully the employment of
active cyber defense as recommended in this thesis. How specifically will the flow work
between nations to resolve disputes? With the creation of a national director of
cybersecurity, how will the different executive branch agencies work together toward a
unified cybersecurity policy? How will the CCDCOE resolve the inevitable disputes
between nation-states? What is the mechanism to bring the disputes before the CCDCOE?
Much work remains in developing procedures for employing the recommendations from
this thesis.
145
MacDermott, The Folded Paper, 116.
146
U.S. Const. amend. II, https://www.usconstitution.net/xconst_Am2.html.
55
C. CONCLUSION
All agree the current state of cybersecurity needs to be improved globally. Though
there is significant disagreement on the employment of active cyber defense measures, this
thesis concludes that to raise the collective cybersecurity of all, active cyber defense
measures need to be legalized and employed. Doing so will deter cyber threat actors and
change their cost–benefit analysis in conducting illicit activities in cyberspace. Creating a
national director of cybersecurity to unify and coordinate the cybersecurity policy of the
United States will only strengthen the employment of active cyber defense. Likewise,
empowering NATO’s CCDCOE to mitigate disputes between nations will also facilitate
information sharing between nations, making it harder for faceless enemies to remain
anonymous.
56
LIST OF REFERENCES
Amao, Michael. “Active Cyber Defense to Fight Cybercrime.” Master’s thesis, Utica
College, 2015.
Andres, Richard. “Cyber Gray Space Deterrence.” PRISM 7, no. 2 (December 21, 2017):
91–98.
Blair, Dennis C., Michael Chertoff, Frank J. Cilluffo, and Nuala O’Connor, eds. Into the
Gray Zone: The Private Sector and Active Defense against Cyber Threats.
Washington, DC: George Washington University, Center for Cyber and
Homeland Security, 2016.
Borghard, Erica D., and Shawn W. Lonergan. “Why Are There No Cyber Arms Control
Agreements?” Defense One. January 18, 2018. http://www.defenseone.com/ideas/
2018/01/why-are-there-no-cyber-arms-control-agreements/145289/.
Chen, Jim. “Cyber Deterrence by Engagement and Surprise.” PRISM 7, no. 2 (December
21, 2017): 101–7.
Chesney, Robert. “Legislative Hackback: Notes on the Active Cyber Defense Certainty
Act Discussion Draft.” Lawfare (blog), March 7, 2017. https://www.lawfareblog.
com/legislative-hackback-notes-active-cyber-defense-certainty-act-discussion-
draft.
Cook, Chris. “Hacking Back in Black: Legal and Policy Concerns with the Updated
Active Cyber Defense Certainty Act.” Just Security (blog), November 20, 2017.
https://www.justsecurity.org/47141/hacking-black-legal-policy-concerns-updated-
active-cyber-defense-certainty-act/.
Cranford, Nathan. “How to Protect NFV and SDN from Cyber Attacks.” RCR Wireless
News. July 31, 2017. http://www.rcrwireless.com/20170731/nfv/how-to-protect-
nfv-and-sdn-from-cyberattacks-tag27-tag99.
Denning, Dorothy E. “Framework and Principles for Active Cyber Defense.” Monterey,
CA: Naval Postgraduate School, December 2013.
57
Department of Justice. Computer Crimes and Intellectual Property Section: Prosecuting
Computer Crimes. Washington, DC: Office of Legal Education, 2015.
Dewar, Robert S. CSS Cyber Defence Trend Analysis 1: Active Cyber Defense. Zurich:
Center for Security Studies, 2017.
Eichensehr, Kristin E. “Would the United States Be Responsible for Private Hacking?”
Just Security (blog), October 17, 2017. https://www.justsecurity.org/46013/
united-states-responsible-private-hacking/.
Elsom, Dan. “Five of the Worst Cases of Cybercrime the World Has Ever Seen – from
Stealing Data from One Billion Yahoo Users to Crippling the NHS.” The Sun
(London), July 31, 2017. https://www.thesun.co.uk/tech/4120942/five-of-the-
worst-cases-of-cyber-crime-the-world-has-ever-seen-from-data-theft-of-one-
billion-yahoo-users-to-crippling-the-nhs/.
Europol. “European Cybercrime Centre - EC3.” Accessed May 28, 2018. https://www.
europol.europa.eu/about-europol/european-cybercrime-centre-ec3.
Fadilpašić, Sead. “Nearly a Million UK SMEs Hit by Cyber-Attacks.” IT Pro Portal. July
31, 2017. http://www.itproportal.com/news/almost-a-million-smes-victims-to-
cyber-attacks-in-the-last-year/.
Finkle, Jim. “North Korea Likely Behind Taiwan SWIFT Cyber Heist: BAE.” Reuters.
October 16, 2017. https://www.reuters.com/article/us-cyber-heist-north-korea-
taiwan/north-korea-likely-behind-taiwan-swift-cyber-heist-bae-
idUSKBN1CL2VO.
Geers, Kenneth, ed. Cyber War in Perspective: Russian Aggression against Ukraine.
Tallinn, Estonia: CCDCOE, 2015.
Global Security. “National Training Center Scenarios.” Accessed October 20, 2018.
https://www.globalsecurity.org/military/ops/ctc-ntc-scenario.htm.
Goldfoot, Josh, and Aditya Bamzai. “A Trespass Framework for the Crime of Hacking.”
George Washington Law Review 84, no. 6 (December 2016): 1477–99.
58
Government Accountability Office. Critical Infrastructure Protection: Progress
Coordinating Government and Private Sector Efforts Varies by Sectors
Characteristics. Washington, DC: GAO, October 2006.
Graham, Luke. “Cybercrime Costs the Global Economy $450 Billion: CEO.” CNBC.
February 2, 2017. https://www.cnbc.com/2017/02/07/cybercrime-costs-the-
global-economy-450-billion-ceo.html.
Graunke, Kevin. “Shielded from Cyberattacks.” Christian Science Monitor, July 31,
2017. https://www.csmonitor.com/Commentary/A-Christian-Science-
Perspective/2017/0731/Shielded-from-cyberattacks.
Grimes, Roger A. Hacking the Hacker: Learn from the Experts Who Take Down
Hackers. Indianapolis: Wiley, 2017.
Higgins, Joshua. “Industry: New House Bill Lays Groundwork for Policy Dialogue on
Active Cyber Defense.” Inside Cybersecurity. March 7, 2017. http://libproxy.nps.
edu/login?url=https://search.proquest.com/docview/187507644 5?accountid=
12702.
Hoffman, Wyatt, and Ariel E. Levite. Private Sector Cyber Defense: Can Active
Measures Help Stabilize Cyberspace? Washington, DC: Carnegie Endowment for
International Peace, 2017.
Huq, Numaan, Rainer Vosseler, and Morton Swimmer. “Cyberattacks against Intelligent
Transportation Systems: Assessing Future Threats to ITS.” Research paper,
TrendMicro, 2017.
Kerr, Orin. “Norms of Computer Trespass.” Columbia Law Review 116 (May 1, 2016):
1143–84.
Lin, Herb. “More on the Active Defense Certainty Act.” Lawfare (blog), March 24, 2017.
https://www.lawfareblog.com/more-active-defense-certainty-act.
59
McGee, Shane, Randy V. Sabett, and Anand Shah. “Adequate Attribution: A Framework
for Developing a National Policy for Private Sector Use of Active Defense.”
Journal of Business & Technology Law 8, no. 1 (2013).
NATO Cooperative Cyber Defence Centre of Excellence. “Home Page.” Accessed May
28, 2018. https://www.ccdcoe.org.
NeSmith, Brian. “CEOs: The Data Breach Is Your Fault.” Forbes, June 26, 2018.
https://www.forbes.com/sites/forbestechcouncil/2018/06/26/ceos-the-data-breach-
is-your-fault/.
Newsmax. “Cyber ‘Worm’ Hurts Corporate Earnings, Sparks $850 Million in Damage.”
August 2, 2017. http://www.newsmax.com/Finance/StreetTalk/cyber-worm-
notpetya-earnings/2017/08/02/id/805374/.
Owens, William A., Kenneth W. Dam, and Herbert S. Lin, eds. Technology, Policy, Law,
and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.
Washington, DC: National Academies Press, 2009.
Pan Kwan Yuk and Mamta Badkar. “Merck Updates Guidance to Reflect June Cyber
Attack.” Financial Times, July 31, 2017. https://www.ft.com/content/3d7ac341-
1742-3329-9a15-2dc269522d10.
Petraeus, David H., and Kiran Sridhar. “The Case for a National Cybersecurity Agency.”
Politico. September 5, 2018. https://politi.co/2MOCnMh.
Petski, Denise. “HBO Confirms It Was Hit by Cyber Attack.” Deadline. July 31, 2017.
http://deadline.com/2017/07/hbo-confirms-cyber-attack-hack-1202139202/?utm_
source=dlvr.it&utm_medium=twitter.
Pitman, Paul M. “Research Methods, Part II: Policy Options Analysis.” Lecture module,
Center for Homeland Defense and Security, 2017. https://www.chds.us/
coursefiles/NS4081/lectures/methods_policy_options_analysis_v02/methods_poli
cy_options_lec_v02.pdf.
Pogue, Chris. The Black Report. Edited by Josh Mehlman. Herndon, VA: Nuix, 2017.
Reid, Scott. “Hundreds of Thousands of SMEs Hit by Cyber Attacks.” The Scotsman,
July 31, 2017. http://www.scotsman.com/business/companies/tech/hundreds-of-
thousands-of-smes-hit-by-cyber-attacks-1-4518376.
60
Rosenweig, Paul, Steven P. Bucci, and David Inserra. “Next Steps for US Cybersecurity
in the Trump Administration: Active Cyber Defense.” Backgrounder, no. 3188
(May 5, 2017): 11.
Rouse, Margaret, and Matthew Haughn. “What Is Botnet Sinkhole?” TechTarget. June
2014. http://whatis.techtarget.com/definition/botnet-sinkhole.
Sancho, David, and Ranier Link. “Sinkholing Botnets.” Technical Paper, TrendMicro,
2011.
Schmitt, Michael N., ed. Tallinn Manual 2.0 on the International Law Applicable to
Cyber Operations. Cambridge: Cambridge University Press, 2017.
Shalal, Andrea, and Thomas Escritt. “In Cyber, Germany Needs to Counter-Attack,
Minister Says.” Reuters. July 24, 2018. https://www.reuters.com/article/us-
germany-espionage-cyber/in-cyber-germany-needs-to-counter-attack-minister-
says-idUSKBN1KE0X3.
Steptoe & Johnson. “The Hackback Debate.” Steptoe Cyberblog, November 2, 2012.
http://www.steptoecyberblog.com/2012/11/02/the-hackback-debate/.
Symantec. Internet Security Threat Report. Vol. 22. Mountain View, CA: Symantec,
2017.
Taft, William H., IV. “The Law of Armed Conflict after 9/11: Some Salient Features.”
Yale Journal of International Law 28, no. 2 (2003): 319–23.
Thomson, Iain. “US Congress Mulls First ‘Hack Back’ Revenge Law. And Yup, You
Can Guess What It’ll Let People Do.” Register. October 13, 2017. https://www.
theregister.co.uk/2017/10/13/us_hack_back_law/.
Townsend, Kevin. “UK Warns That Aggressive Cyberattack Could Trigger Kinetic
Response.” Security Week. May 25, 2018. https://www.securityweek.com/uk-
warns-aggressive-cyberattack-could-trigger-kinetic-response.
Tromp, Joshua. “Law of Armed Conflict, Attribution, and the Challenges of Deterring
Cyber-Attacks.” Small Wars Journal 12, no. 1 (January 28, 2016).
http://smallwarsjournal.com/jrnl/art/law-of-armed-conflict-attribution-and-the-
challenges-of-deterring-cyber-attacks.
61
Trustwave. 2017 Trustwave Global Security Report. Chicago: Trustwave Holdings, 2017.
U.S. Congress. House of Representatives. Active Cyber Defense Certainty Act. H.R.
4036. 115th Cong., 1st sess. (2017). https://www.congress.gov/bill/115th-
congress/house-bill/4036.
———. Cyber Diplomacy Act of 2017. H.R. 3776. 115th Cong., 1st sess. (2017).
https://www.congress.gov/bill/115th-congress/house-bill/3776/text.
Verizon. 2017 Data Breach Investigations Report. 10th ed. New York: Verizon
Enterprise Solutions, 2017.
Waldrop, M. Mitchell. “How to Hack the Hackers: The Human Side of Cybercrime.”
Nature 533, no. 7602 (May 12, 2016): 164–67. https://doi.org/10.1038/533164a.
White, Jautau Kelton. “Impact of Protection Motivation Theory and General Deterrence
Theory on the Behavioral Intention to Implement and Misuse Active Cyber
Defense.” PhD diss., Capella University, 2017.
Wong, Tiong Pern. “Active Cyber Defense: Enhancing National Cyber Defense.”
Master’s thesis, Naval Postgraduate School, 2011.
62
INITIAL DISTRIBUTION LIST
63